browserify-shim is vulnerable to prototype pollution. The vulnerability exists due to the separateExposeGlobals
function in resolve-shims.js
, which doesn’t restrict __proto__
or constructor
keys in the supplied shim which allows an attacker to modify object prototypes.
github.com/advisories/GHSA-866w-wm4h-95c6
github.com/thlorenz/browserify-shim/blob/464b32bbe142664cd9796059798f6c738ea3de8f/lib/resolve-shims.js#L130
github.com/thlorenz/browserify-shim/blob/464b32bbe142664cd9796059798f6c738ea3de8f/lib/resolve-shims.js#L158
github.com/thlorenz/browserify-shim/commit/97855e622b6dcd117c77e6583701962ff45e7338
github.com/thlorenz/browserify-shim/issues/245